Aviate isn't 'spying' on anyone, it's just being sloppy with your data

Storing your location and installed apps in plain text is at issue here, not collecting that data in the first place

A lot of fuss is being made about the Aviate launcher the past couple days, with things hitting a fever pitch today. Besides the endless requests for invite codes on every social media site known to modern man, it's come to light that the launcher is sharing the data it collects on you with the world. Sort of.

Let's back up a tad. Aviate is a launcher that reconfigures itself — the apps it thinks you need to see right this second — depending on where you are. It's been in private beta for a while, and opened up to more users this week.

The to-do is that your location and list of installed apps are available via a publicly accessible API — but only if you know your unique device identifier. That's not good, but it's not necessarily the end of the world, either.

The good news is that Aviate has said this is something they are fixing, and have made it a top priority. (Update: Looks like the web access has been killed, as promised.) In the meantime, here's what you need to know if you're going to use the app.

First, let's tackle the data collection. The main points of contention seem to be that the folks at Aviate track which apps you have installed and use — kind of an important thing for a launcher to know — and your precise location via longitude and latitude coordinates. I'm not sure why this surprises (or outrages) everyone, because it needs both these things to do what the app does. And both of these things are declared in the app's list of permissions. In fact, let's have a look at the long list of permissions. As you can see, Aviate asks to do everything except borrow your car.

Your accounts

create accounts and set passwords

read Google service configuration

find accounts on the device

Your location

precise location (GPS and network-based)

Network communication

full network access

view Wi-Fi connections

view network connections

receive data from Internet

connect and disconnect from Wi-Fi

Your personal information

read calendar events plus confidential information

Phone calls

read phone status and identity

Storage

modify or delete the contents of your USB storage

System tools

mock location sources for testing

read Home settings and shortcuts

write Home settings and shortcuts

send sticky broadcast

modify system settings

test access to protected storage

Your applications information

retrieve running apps

Bluetooth

pair with Bluetooth devices

access Bluetooth settings

Affects Battery

prevent device from sleeping

control vibration

Alarm

set an alarm

Sync Settings

read sync settings

toggle sync on and off

Wallpaper

set wallpaper

adjust your wallpaper size

Aviate sorts your apps into categories and pages based on time of day, or where you are. When you're at work, you have a work screen with productivity apps. When you're at home, you have entertainment-based apps like Netflix on your screen. Aviate needs to know what apps you have installed — and where you are — to do this. Aviate also makes it very clear in the permissions that the app will be collecting this, and more. If we want an application that shows us apps based on where we are and what we're doing, the app needs to know where we are and what apps we have installed.

If the location and installed apps list wasn't in plain text, we wouldn't be having this conversation.

This isn't "spying," because you asked Aviate to do it when you installed the app.

The way Aviate stores and transmit this data, on the other hand, is worth questioning.

If you visit a URL at Aviate's site using your device ID, you get a plain-text listing of your location and installed apps. The URL, for those who want to check, is http://www.getaviate.com/search/api/v3/devices/DEVICEID. You can find your device ID in the system's logcat file, or find it by clicking on the "Help" button in the app. Click here for an example if this is all over your head. The issue is two-fold:

Anyone with a web browser can see your data if they know your unique ID

Anyone sniffing traffic can see your data because it's in plain text

There is no reasonable excuse for Aviate to do things this way. While your device ID isn't exactly easy to guess, another application developer can get access to it with just a few lines of code. Do you want someone to have the exact location where you — or your kids — sleep every night? I don't.

The Aviate app isn't my cup of tea, and I tried and quickly uninstalled it anyway. But there's a lot of traction behind it, and for a lot of people it does the things they want. The developers have to get this mess straightened out, and soon. They may not be spying on you, but they are sharing the information you gave them with everyone else.

I actually laughed out loud at the "all seven people" comment. Sincerely thought it was a good line.

However, I didn't see Jerry excuse any privacy holes here. He explicitly stated that the lack of securely storing your private information was bad, but that the company wasn't being unscrupulous by "spying" to get that information in the first place.

with all due respect - sometimes these apps/sites slip in these questionable privacy permissions in such a way that it is difficult for a layman or non-techie to see or recognize. and then you have companies like Facebook - who hide the settings under layers of a confusing byzantine style system menu - and even worse - they keep constantly changing/adding to the permissions/settings/controls. i'm all for personal responsibility - but some of these apps/sites really make it difficult (on purpose or not) to see WTF you're signing up for and signing away. i consider myself relatively technically savvy (but i'm no Jerry) and i have difficulty looking at many apps permissions and figuring out what's kosher and what's not. many times it comes down to trust - do i trust the developer? - and admittedly - that's not a great policy! i'm not saying they do it on purpose - but sloppy or malevolent are both bad - because the end result is the same - bad!

p.s. it's funny to see - even after this - the sheep are still asking for invites on this very thread! ha!

Assuming someone has my device id they learn what? Where I am and what apps I've used? Who cares? The person standing next to me knows where I am and if he looks over my shoulder at my phone he can see what app I'm using. So what?

Obviously, this information needs to be encrypted but it blows my mind that folks who live in a country where your name, address and phone number was published in a book that was dropped regularly on everyone's doorstep AND where you had to pay the phone company to not divulge that information complain about innocuous information getting out. We may live in an over-share culture but we also live in an over-paranoid culture.

This post pretty much contradicts your prior post that puts the whole burden on the person who installed the app.

If you went through your phone and rigorously evaluated permissions and deleted any app that (for sake of argument) had access to your phone calls, or your contacts, you would be left with nothing on your phone.

Often the developer will tell you that the only reason they need to access your phone calls is to save your game progress, or stop making sounds when a call comes in. But we don't really know that do we? And if we trust that developer, (why the hell should we), we then assume all apps that say they can access your phone calls are doing it for the same reason. Are they?

You don't get a choice on bloatware.
But you don't get a choice on most apps either.

Look at an app that everyone has, Lookout. Why can this thing send email to my contacts without my permission? Why should it get to modify my calendar, and send emails to calendar event guests?

Its a forced choice, you buy a phone, and by doing so you surrender far more information than you intended. You can't use the phone for the purpose it was intended, without giving up more than you bargained for.
You buy and app and again same camels nose under the tent.

Its fine and dandy to make a blanket statement that you installed it so it must be your fault, and that sounds authoritative, but its really false in the real world.

There was something I read here on AC about a coming capability to retroactively go in and strip some access away from apps. If the apps then fail, well so be it. But my Lookout app has no business sending email to anyone but me. Thats what I assumed it needed email for. That's all that was mentioned when I installed it.

So, explain how the choice was taken away to not install an app because you don't like the permissions?

Explain why you somehow can't disable applications that have permissions you don't like, when every one else can.

Not understanding is the reason to NOT install, not to install anyway and pretend it was someone else's fault. Google's less-than-informative way they tell permissions should only lead to less applications being installed because people do not understand. If people do not understand and install anyway, that's their choice and responsibility.

Saying "you don't have a choice" is bullshit. You always have a choice, even though it may not be one you like.

Lookout needs permission to send mail on your behalf to report issues to them. Because they will have access to that function, the app could also send information to your contacts, including information about other contacts. To be Exchange compatible, calendar events can be sent from the contacts application. You can stop this from happening by removing Exchange compatibility, or by not allowing bug reports or malware data to be sent to Lookout, or by not installing and/or disabling the Lookout app.

An iPhone works the same way. So does a Windows phone. So does a BlackBerry, though they have to be able to enforce BES restrictions and permissions can be revoked at the risk of applications not working — like not being able to contact Lookout from the app if you don't feel safe with calendar entries being exposed, and having an app that does not work as intended.

The difference is Google tells us during the install process — but only half the story. The above is why. It's damn near impossible to cover every possible scenario of why an application needs/wants a certain permission. They should be able to figure it out, because they pay some really good people a whole lot of money to figure things out. In the meantime, it is the developers who should be suffering over it if people bother to read what they are installing. Instead, people just click away. That's good for developers, but not so much for the users.

I've been talking to you on and off in these comments for what, about 3 years now? I know you get this. I know Google could make it very easy for you to understand this. But some people need a lot of spoon-feeding with this sort of thing. Google needs to get out some spoons.

tl;dr — Read it. Understand before you click. If you click anyway, it's your fault. If you don't click and a dev doesn't get paid, it's Google's fault.

I agree with you Jerry. If you give permission you are responsible. This is why it would be nice for androidcentral to actually "teach" responsibility. For example, when you review apps, you could make it a staple to evaluate app permissions, break down why an app needs what, and be more critical when permissions are overly permissible. Sometimes this comes up, but I think it might be a good idea to be more systematic about it.

I don't remember reading about storing personal information in plain text in the permissions. Also never read about sending CC info in any app.
So what is your point, we are responsible for stupid or criminal acts by developers?

The point is you agreed to share that info with them. They can use it anyway they see fit because you shared it. What if they aren't upstanding devs or the best stewards of your info? Doesn't matter you accepted the permissions and you installed the FREE app.

The point is you agreed to share that info with them. They can use it anyway they see fit because you shared it. What if they aren't upstanding devs or the best stewards of your info? Doesn't matter you accepted the permissions and you installed the FREE app.

Privacy is something that should never be taken lightly. Fact of the matter is many people are quite cavalier when it comes to how they conduct business online. While some may not use Twitter, Facebook, Foursquare, etc., they may install applications like this if they feel it serves a greater good.

Take away the FUD about this news story and you have a developer that released an application for Android in which information was not handled properly. Because it was in plain-text, anyone with the right access could get information on you. Sure, this "access" may have been open to a privileged few that are savvy enough to find your ID and visit the site. However, that should not have ever been a concern. Yes, take my information in order to make an intelligent app that is designed to help me. But no, DO NOT take this data and improperly store it where people with the desire and know how can just go ahead and rob me blind.

If people really want to gain unfettered access to your personal information, they will uncover a way to do so. It may be costly, time intensive and full of risk - but that is only because the reward in doing so outweighs the negative aspects. I expect to encounter situations where either my personal information was compromised due to my error or a breach of security. This is why I use two-step authentication. This is why I pay for a business account with Google in the event I need further support. This is why I have my original account setup information printed and locked away in a safe deposit box should I ever be locked out of my account.

You can't tell me the worst scenarios don't happen. Sometimes I need protection from the world I live in, but at times I need protection from myself as well. When a company takes trust (misplaced or otherwise) you have put on them with your information and tosses it out the window, someone needs to be held accountable. Sending my credit card number to China? Unlikely. But to someone who socially engineered a "hack" by posing as a debt collector - that's happened before to my wife. Luckily $250 can be made up for working additional hours.

Boy, there sure are a lot of highly sought after people on AC. Hate to bare the bad news...but take it from someone who's spent years in prison, the only criminals worried about where your location is are murderers.

Criminals want social security numbers, credit card numbers are real personal information they can sell or benefit from.. Not what apps you have installed. Address it and get over it. You aren't that important.

I agree with Jerry, and I myself, would like specific info about the permissions needed and why they are needed. I too, installed Aviate and quickly uninstalled. It just wasn't for me. Shoot, sometimes with New Updates, come new riskier permissions. No thank you. I'll be fine with previous versions unless they completely affect the app.

Oh, to the gentleman who spent time behind bars, it's not the apps they want, it's the information the apps can put out. Read peoples' previous comments.

Used the app for a few days now and it isn't all it cracked up to be. Keeps detecting the wrong location. Is cumbersome to find the app you need since it seems mis-categorise my apps. I have invites left but to be honest... I wouldn't recommend it just now. I've uninstalled it.

Portions of this page are modifications based on work created and shared by the Android Open Source Project
and used according to terms described in the Creative Commons 2.5 Attribution License. AndroidCentral is an independent site
that is not affiliated with or endorsed by Google.